[ISN] Clarke rips Microsoft over security

InfoSec News isn at c4i.org
Fri Feb 18 04:28:08 EST 2005


February 17, 2005

SAN FRANCISCO -- Don't expect Richard Clarke to rely on Microsoft
Corp.'s anti-virus or anti-spyware programs to protect his own

"Given their record in the security area, I don't know why anybody
would buy from them," the former White House cybersecurity and
counterterrorism adviser said yesterday, when asked for his thoughts
on Microsoft's forthcoming line of security software.

The observation came during an impromptu interview on the sidelines of
the RSA computer security conference in San Francisco, where Clarke
took part in panel discussions with other experts in technological and
national security.

His take on Microsoft's planned security-software offerings
underscores one of the major challenges the Redmond company will face
as it proceeds -- the fact that many of the online threats encountered
by computer users take advantage of vulnerabilities in the company's
own products.

Microsoft has been trying to reduce and fix vulnerabilities as part of
a broader companywide initiative to improve security and related

Bill Gates this week also announced plans to supplement those efforts
by offering anti-spyware software free to individual Windows users.  
The company also plans to release an anti-virus product this year and
introduce a new version of Internet Explorer this summer -- about a
year sooner than expected -- to boost security.

But Clarke, during one panel discussion yesterday, called on Microsoft
and other software companies to become more publicly accountable in
their efforts to develop secure software. He said he asked Microsoft
last year to disclose the specific quality-assurance practices it was
following in the pursuit of more-secure software code.

The idea, he said, would be for the software industry to collectively
come up with a set of best practices for secure software development.  
Outside experts would then be able to judge how well each company
lives up to those practices.

"There's no fine involved, there's no liability involved, but the
marketplace is better informed, and the marketplace works better when
it knows what's going on," Clarke said, drawing a round of applause
from the crowd at San Francisco's Moscone Center. Panelists compared
the concept to the effort to hold public companies to standards for
financial reporting under the Sarbanes-Oxley Act.

Asked about the issue afterward, Clarke acknowledged that he doesn't
believe Microsoft would ever agree to such a plan.

In a statement responding to Clarke's comments, Microsoft said it has
formalized its internal security efforts by adopting an official life
cycle that it uses to develop secure software, in addition to
publishing books and other materials about the methods it follows. At
the same time, the company said it makes its security-related tools
available to independent developers, works with other companies on
security issues and offers formal training on security.

"The market is demanding security now, and that hard work is going
forward already," said Amy Roberts, director of product management in
Microsoft's Security Business and Technology Unit, in the statement.

During a panel discussion on technology regulation, Rick White, a
former Republican congressman from Washington state, agreed with
Clarke that it would be good to establish visible standards by which
companies could be judged in the marketplace.

"I think that's a blueprint for something that probably works," said
White, now chief executive of technology lobbying organization
TechNet. "It's just a question of how far you get the government

But on the subject of government involvement, White and Clarke
disagreed, as illustrated by a related discussion of Internet service
providers. Clarke said he would want to see government regulation of
ISPs to ensure that they offer adequate levels of security to their

But White warned that regulation in general could hinder technological

"We have a great thing going in terms of innovation in this country,"  
he said. "We're leading the world and we need to be able to continue
to do that."

Another panelist, security expert Bruce Schneier, said it was
important to remember that the underlying goal of software companies
is financial, no matter how well intentioned their security efforts.

"Companies are not charities," Schneier said. "They don't do this
stuff out of the goodness of their heart. They do it because the
marketplace demands it, they do it because liability demands it, they
do it because regulation demands it, they do it because competition
demands it. Something has to demand it."

Along those lines, he said, "The marketplace will only go so far."

Clarke, who advised four presidents, rose to a new level of prominence
last year with charges that President Bush failed to take the
terrorist threat seriously prior to the Sept. 11 terrorist attacks. A
book by Clarke and his testimony before the 9/11 Commission detailed
his efforts to sound the alarm about terrorism. He raised similar
themes yesterday, saying that industry and government need to pay
greater attention to the risk of cyberterrorism.

"Regulation is neither good nor bad -- it depends upon the industry
and the regulation. There is smart regulation. But industry should
bear this in mind when they resist any regulation: After we have a
major incident, there will be much worse regulation than you could get
